How to encrypt your Android device

The debate in the US between law enforcement agencies and tech giants over smartphone encryption has once again brought the issue to center stage. There’s little doubt that keeping your personal data secure these days is pretty important, so it is fortunate that Android gives you the tools you need to secure your device right out of the box. If you have been wondering how to get started, this guide will walk you through how to encrypt Android smartphones and tablets.

What is device encryption and what does it do?

Before we go through how to enable it, it is probably best to understand what exactly encryption is and what the pros and cons are.

Device encryption is not a one-stop solution for protecting all of your data and information from prying eyes, especially when you are sending data over the internet. Instead, device encryption converts all of the data stored on your phone into a form that can only be read with the correct credentials. This goes above and beyond a regular lock screen password, as data can still be accessed from behind this screen with some specialized knowledge and use of recoveries, bootloaders, or the Android Debug Bridge.

Once encrypted, your music, photos, apps, and account data can’t be read without first unjumbling the information using a unique key. There’s a fair bit of stuff going on behind the scenes, where a user password is converted into a key that is stored in a “Trusted Execution Environment” to keep it secure from software attacks. This key is then required to encrypt and decrypt files, sort of like those alphabet cypher puzzles that scramble up letters.

With Android this is very simple from a user’s viewpoint, though: you just enter your passcode whenever you boot up or unlock the device and all of your files will be accessible. This means that if your handset falls into the wrong hands, no one else will be able to make sense of any of the data on your phone without knowing your password.

Before you leap in, there are a couple of points to consider. Firstly, opening up encrypted files requires additional processing power, so this will take a slight toll on the performance of your handset. Memory reading speeds can be a lot slower on older devices, but the performance hit in the vast majority of regular tasks is only very minor, if even noticeable at all.

Secondly, only some smartphones will offer an option to remove encryption from your handset. Encryption is a one-way process for most smartphones and tablets. If your handset doesn’t offer an option to decrypt the entire phone, the only option is to perform a complete factory reset that removes all of your personal data from the device. So check this out with your manufacturer beforehand.

With that out of the way, let’s explore how to turn encryption on.

How to encrypt my Android device?

Device encryption works in much the same way across all Android devices, but the methods for enabling it have changed ever so slightly over the years. Most devices come with encryption enabled by default these days, particularly those running newer versions of Android. For example, every Pixel smartphone, the Nexus 6P, the Nexus 5X, and even the Nexus 6 and Nexus 9 have encryption enabled by default. If not, Android makes this a very simple process.

Android 5.0 or higher

For Android handsets and tablets running Android 5.0 Lollipop or newer, you can navigate straight to the “Security” menu under settings. Getting here might be slightly different depending on your OEM, but with stock Android this can be found under Settings > Personal > Security.

Here you should see an option to “Encrypt phone” or “Encrypt tablet”. You’ll be asked to plug your phone in to charge while the process takes place, just to make sure that your phone doesn’t shut off and cause errors. If you haven’t done so already, you will be prompted to set a lock screen PIN or password, which you will need to enter when you turn your phone on or unlock it in order to access your newly encrypted files. Be sure to remember this password!

Android 4.4 or lower

If you’re running a handset with Android 4.4 KitKat or lower, you will have to set up a PIN or password before starting up the encryption process. Fortunately this is simple enough: head on over to Settings > Security > Screen Lock. Here you can either pick a pattern, numbered PIN, or mixed password for your lock screen. This will be the same password used after encryption, so make a note of it.

Once that’s done, you can go back to the Security menu and hit “Encrypt phone” or “Encrypt tablet.” You’ll need to have your phone plugged in and read through the warning messages, and you will almost certainly have to confirm your PIN or password one last time before the encryption process starts.

Encrypting your phone can take an hour or more, depending on how powerful your handset is and the amount of data that you have saved on the device. Once the process is finally finished you can enter your PIN and start using your newly encrypted device.

Back in the Security menu, you will also likely spot an option to encrypt files on your microSD card as well. This is a recommended step if you want to keep all of your data secure, but isn’t really necessary if you’re just using your microSD card to save music or films that aren’t particularly personal.

There are a few caveats here too. Firstly, you will no longer be able to use your microSD card with other devices without completely removing the encryption first, as other phones or computers won’t know the key. An encrypted microSD card is still completely transparent when moving files to and from it over USB, though, as long as you access the encrypted files from the phone used to encrypt it. Furthermore, if you reset your device before selecting decrypt, the encryption key will be lost and you won’t be able to gain access to the secure files on your microSD card. So think about this one carefully.

And you’re done

That’s it: it really is that simple to encrypt Android devices, and it is a great way to keep your data a lot more secure. There are minimal trade-offs in terms of performance, but any differences should be very hard to notice on modern handsets.

Extra options with third party apps

If you don’t fancy committing yourself to full device encryption, there are a small number of Android encryption apps in the Play Store that offer up a selection of different features, including single file, text, and folder encryption options.

SSE – Universal Encryption App

SSE has been running for quite a while and still appears to be receiving little updates every now and again. Rather than mass encrypting your entire phone, SSE can be used to secure and decrypt individual files or directories, which you might prefer if you just want to keep a few things secure. You can set passwords to work as your decrypt key and there’s an option to either create encrypted copies of files or completely replace them.

The app also features a text encryptor and a password vault. The text editor can be used for keeping encrypted notes and these can be shared across platforms. The vault is designed to store and manage all of your passwords, PINs, and notes in one secure place protected by one master password. Sort of like an encrypted LastPass on your device.

Crypto Ghost – File Encryption

If you’re looking for a way to share encrypted and signed files with your contacts, then it might be worth checking out Crypto Ghost.

This app can secure your files with a personal key using your email and password, which has the added convenience of making your password retrievable. You can also generate a separate password for files so that you can share them with your friends without having to expose your main password. It’s not possible to encrypt files to share using the default Android method, as they are decrypted on the device first and you can’t reproduce keys for use on other devices. So this is a handy solution for sharing files that you might not want others to see.

Safe Camera – Photo Encryption

Perhaps you don’t really have that many files that you’re too concerned about and just want to keep your pictures safe. In that case, you could use an app like Safe Camera. Safe Camera encrypts your photos as soon as you take them, and they can then be viewed from the dedicated gallery. The camera app is relatively basic, with flash and timer options but not much else.

Once you’ve taken your pictures you can share them using your master password for the app, a unique password, or even decrypt them if you want to. There’s also an option to import and secure existing photos, and the app also supports GIFs.

Speaking of communication, there are also a number of apps which offer encrypted communications over both the web and text. These apps require you to set up and share keys with your partners, though, so there’s a fair bit more work involved here.

New Android security and encryption features

As mentioned, most new Android smartphones have device encryption automatically. A big change that was introduced a couple of years ago with Android 7.0 Nougat was Direct Boot. Before Direct Boot, your entire encrypted phone would be locked down until you entered the password. Since Nougat, the system allows a small selection of software to run as soon as you turn on your phone. This means that phone calls, alarms, and the like can work right away from boot, while apps that you download and more personal data won’t work until you enter the password.

This was a part of Google’s revised approach to encryption, which saw the old entire partition encryption method replaced by file-level encryption. File-level encryption is faster on older devices because the system doesn’t have to decrypt huge chunks of data all at once. This method has the added benefit of granting apps much finer control over the data that is and isn’t decrypted, which can significantly improve security in the event that a system is compromised.
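To check which of the two schemes a particular device actually uses, here is an added example (not part of the original article) that classifies the output of `adb shell getprop` using the `ro.crypto.state` and `ro.crypto.type` system properties. The function names are this example's own and the sample property dumps are constructed, so it runs without a device attached.

```shell
#!/bin/sh
# Added example: classify Android storage encryption from getprop output.
# On a real device, feed it with:  adb shell getprop | classify_encryption

# Print the value of property $1 from getprop text on stdin.
# getprop lines look like:  [ro.crypto.state]: [encrypted]
prop_value() {
    tr -d '\r' | awk -v key="[$1]:" '
        $1 == key && !found { v = $2; sub(/^\[/, "", v); sub(/\]$/, "", v)
                              print v; found = 1 }'
}

# Map the two crypto properties to the schemes the article describes.
classify_encryption() {
    props=$(cat)
    state=$(printf '%s\n' "$props" | prop_value ro.crypto.state)
    ctype=$(printf '%s\n' "$props" | prop_value ro.crypto.type)
    case "$state" in
        encrypted)
            case "$ctype" in
                file)  echo "encrypted: file-based" ;;
                block) echo "encrypted: full-disk" ;;
                *)     echo "encrypted: type not reported" ;;
            esac ;;
        unencrypted) echo "not encrypted" ;;
        unsupported) echo "encryption unsupported" ;;
        *)           echo "unknown: ro.crypto.state missing" ;;
    esac
}

# Constructed sample dumps (not captured from real devices).
sample_fbe() { printf '%s\r\n' '[ro.build.version.release]: [9]' \
    '[ro.crypto.state]: [encrypted]' '[ro.crypto.type]: [file]'; }
sample_fde() { printf '%s\n' '[ro.crypto.state]: [encrypted]' \
    '[ro.crypto.type]: [block]'; }
sample_old() { printf '%s\n' '[ro.crypto.state]: [encrypted]'; }
sample_off() { printf '%s\n' '[ro.crypto.state]: [unencrypted]'; }

for s in sample_fbe sample_fde sample_old sample_off; do
    printf '%-10s -> %s\n' "$s" "$($s | classify_encryption)"
done
```

A result of "file-based" corresponds to the file-level scheme that Direct Boot relies on, while "full-disk" is the older whole-partition method. The carriage-return stripping is there because some `adb shell` sessions return CRLF line endings.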

Google continued to further improve its security features with Android 8.0 Oreo with more granular control over app permissions, additions to the Verified Boot feature, native two-factor authentication support, and more. More importantly, Oreo also introduced enhanced encryption for the enterprise. All devices are able to utilize separate encryption keys for personal and work profiles. Device administrators are also given the ability to activate work profile keys remotely to ensure complete data protection. Oreo also brought Project Treble with it, which was another big step to ensure faster delivery of software and security updates.

The recently released Android 9.0 Pie introduced some key privacy and encryption features as well. Now, apps running in the background will no longer have access to the mic and camera and other sensors (other than GPS). Also huge is the addition of client-side encryption.

While all data backed up from your Android device to Google’s servers is encrypted, it is encrypted by Google for Google. In other words, Google can still technically access it. With Android Pie, backups are now encrypted with a client-side secret. As before, your data travels over a secure, encrypted connection to Google’s servers, but the actual data is encrypted using a password that only you know. This also means your PIN, pattern, or password is required to restore data from the backups.

Final Thoughts

Given the amount of sensitive personal information that we keep on our mobile devices these days, including banking details, encrypting your Android device is a very sensible decision. There are quite a few options out there offering various levels of security, from system wide Android encryption to apps dedicated to protecting more specific files. Keep in mind though, encryption won’t give you complete protection from everything, but it offers excellent protection in the case of stolen devices.